1. Field of the Invention
The present invention relates to data stream authentication, and more specifically to authentication schemes with adaptively controlled packet loss.
2. Description of the Related Art
In many cases, it is desirable to append authentication information to a stream of data to assure a recipient that the data came from a specific source and was not modified en-route. For example, if the data is being provided to an application, then it would be important for the application that the data has not been corrupted either maliciously or by accident.
In cryptography, there are two traditional mechanisms for permitting such authentication:
1. Message Authentication Codes (MAC)
2. Digital Signatures
With a MAC, both the original source and the ultimate receiver must possess a shared secret key. The sender applies a mathematical transformation involving the original data and the secret key, and produces a tag. The receiver recomputes the tag from the received data and the secret key and compares it with the received tag; a match verifies the origin and the integrity of the data.
With Digital Signatures, the key is split into two parts: a secret signing key and a public verification key. The public verification key can be used to verify anything signed with the secret signing key, and the key pair is generated in such a way that it is not computationally feasible to derive the signing key from the verification key. The sender applies a mathematical transformation involving the original data and the secret signing key, and produces a signature. The recipient can then check the signature against the data using the public verification key to confirm that it was produced by the holder of the signing key and that the data has not been modified.
Digital signatures have a non-repudiation property that MACs do not. Namely, the signer cannot later deny having signed the document, since the signing key is secret and was in the signer's possession. With a MAC, by contrast, the receiver holds the same key and could have produced the tag itself, so a tag proves nothing to a third party. Of course, the signature owner can always claim that the secret signing key was stolen by some adversary.
Because of their nature, traditional authentication schemes do not tolerate any transformations to the data made by the source or by an intermediate. If a document is modified after it is signed, the verification step will so indicate, and will fail.
But for many applications, it is not only convenient, but sometimes necessary, to permit some specific types of modifications. For example, scalable video coding schemes, a high-level picture of the principle of which is shown in FIG. 1, have the property that a subset of the stream can be decoded and the quality is commensurate with the amount decoded. These schemes may encode video into a base layer and then zero or more “enhancement” layers. Just the base layer alone would be sufficient to view the stream. Enhancement layers are utilized to improve the overall quality.
Now, in an environment that is resource constrained, one might want to strip the enhancement layers and send only the base layer. If the entire stream has been digitally signed or authenticated in conventional ways, then removing the enhancement layers invalidates the original tag or signature. Thus the entire stream would have to be re-authenticated.
Alternatively, one may want to splice several streams of different qualities as in a simulcast situation. There may be one high-quality version of the stream, one medium-quality version of the stream, and one low-quality version of the stream. If network resources are available, then the high-quality stream may be sent, but if the network congestion goes up, then one may want to shift to the medium or low quality streams. In an alternate scenario, it could be the case that the receiver is mobile and is leaving one network environment and entering another that has different resource restrictions. The splicing situation can be considered a special case of a lossy situation where the quality of signal transmission is poor or otherwise is degraded, for example, by viewing the three data streams as one huge layered stream and imagining that two out of three frames are being discarded.
Yet another application is dynamic advertising. A source may include in a given slot a number of advertisements that can be displayed. An intermediary can then choose from among these choices which advertisement it would like to display. The choice can, for example, be based upon what the intermediary thinks will be the best advertisement for the target audience. The advertisements themselves can be created by an intermediary or some other party, and can be provided to the source either in their original form or may be hashed. The source would then include them when signing the stream.
Thus, signature schemes that can handle these types of losses in a secure manner are needed. Here, “secure” means that the ultimate end receiver can determine with overwhelmingly high confidence that the data it receives comes from a stream that was originally signed validly, but for which certain portions were removed. In addition, there is also a need for an intermediary that can adaptively and intelligently decide which blocks to drop.
One conventional solution to the controlled loss authentication problem is to authenticate each packet individually. This solution has two substantial drawbacks. First, in the case of digital signatures, a fairly expensive computation must be performed for each packet. Second, in both the digital signature and the MAC case, authentication information must be appended to each packet, which may not be feasible when the very reason for removing portions of the stream is to meet bandwidth constraints.
In C. K. Wong and S. S. Lam, Digital Signatures for Flows and Multicasts, IEEE/ACM Transactions on Networking, 7(4):502-513, August 1999, the authors propose a solution in which each data element is hashed, and the resulting hashes are digested using a Merkle tree. The root of the Merkle tree is authenticated (signed). Then, with each data element, the co-nodes (the sibling hashes on the path from that element's leaf to the root) are sent, thereby allowing the receiver to authenticate that element without any other part of the stream. Since Wong and Lam deal with per-packet authentication, each packet contains authentication information. In particular, if |v| is the size, in bytes, of a Merkle tree node and h is the height of the Merkle tree (the base-2 logarithm of the number of elements), then each data element transmitted must be accompanied by |v|×h bytes. Thus, this approach does not address the controlled loss authentication problem as posed here, and is not bandwidth efficient.
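The following is an added worked example of the Wong and Lam construction described above; it is not code from the patent or from the cited paper. It builds the Merkle tree over a constructed eight-packet stream, sends each packet with its h co-nodes, and shows that a receiver verifies each surviving packet on its own after an intermediary drops two packets, while a modified packet is rejected. As an assumption made so that the example runs with only the Python standard library, the root is authenticated with an HMAC under a shared key rather than with the digital signature the paper uses; the packets and the key are constructed sample data, and the leaf/internal prefixes are a conventional domain separation, not something the cited paper specifies.

```python
"""Merkle-tree per-packet stream authentication after Wong and Lam.

Added example, not code from the patent or the paper. HMAC-SHA256 over the
root stands in for the paper's digital signature (an assumption); packets and
the key are constructed sample data.
"""
import hashlib
import hmac

LEAF_PREFIX = b"\x00"   # assumed domain separation: leaves vs internal nodes
NODE_PREFIX = b"\x01"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(packet: bytes) -> bytes:
    return sha256(LEAF_PREFIX + packet)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(NODE_PREFIX + left + right)


def build_tree(packets):
    """Return the tree as a list of levels: levels[0] are the leaf hashes,
    levels[-1] is [root]. The number of packets must be a power of two."""
    n = len(packets)
    if n == 0 or n & (n - 1):
        raise ValueError("number of packets must be a power of two")
    levels = [[leaf_hash(p) for p in packets]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node_hash(prev[i], prev[i + 1])
                       for i in range(0, len(prev), 2)])
    return levels


def co_nodes(levels, index):
    """Sibling hashes from leaf `index` up to (not including) the root.
    These are the |v| * h bytes that travel with each packet."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path


def root_from_path(packet, index, path):
    """Recompute the root from one packet and its co-nodes."""
    h = leaf_hash(packet)
    for sibling in path:
        h = node_hash(h, sibling) if index % 2 == 0 else node_hash(sibling, h)
        index >>= 1
    return h


def authenticate_root(key, root):
    """Stand-in for signing the root: a MAC under a shared key (assumption)."""
    return hmac.new(key, root, hashlib.sha256).digest()


def verify_packet(key, root, root_tag, packet, index, path):
    """Receiver side: check the root's tag, then check that the packet and its
    co-nodes reproduce the root. Needs nothing from any other packet."""
    if not hmac.compare_digest(authenticate_root(key, root), root_tag):
        return False
    return hmac.compare_digest(root_from_path(packet, index, path), root)


def demo():
    key = b"constructed shared key for the example"
    packets = [f"frame-{i}".encode() for i in range(8)]   # constructed stream
    levels = build_tree(packets)
    root = levels[-1][0]
    tag = authenticate_root(key, root)
    # Sender emits (index, packet, co-nodes) per packet; an intermediary drops
    # packets 2 and 5. Every survivor still verifies on its own.
    sent = {i: (packets[i], co_nodes(levels, i))
            for i in range(8) if i not in (2, 5)}
    all_ok = all(verify_packet(key, root, tag, p, i, path)
                 for i, (p, path) in sent.items())
    # A modified packet is rejected even when its original co-nodes are intact.
    p3, path3 = sent[3]
    tampered_ok = verify_packet(key, root, tag, p3 + b"x", 3, path3)
    overhead = len(co_nodes(levels, 0)) * 32   # |v| * h bytes per packet
    return all_ok, tampered_ok, overhead


if __name__ == "__main__":
    print(demo())
```

With eight packets the tree has height 3, so each packet carries 3 × 32 = 96 bytes of co-nodes; the dropped packets cost the receiver nothing because the co-nodes needed for the survivors were carried with the survivors themselves. That per-packet overhead is exactly the bandwidth cost the text objects to.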
In R. Johnson, D. Molnar, D. Song, and D. Wagner, Homomorphic Signature Schemes, CT-RSA 2002 (RSA Conference, Cryptographer's Track), the authors propose a redactable signature scheme. It permits certain specific transformations on the data while still allowing the receiver to verify. In particular, it allows arbitrary deletion of substrings in a signed document and has applications to censoring. Suppose n message blocks m = m1, ..., mn are to be signed, and assume that n is a power of 2. The scheme starts with an initial secret key k and uses it to generate n keys k1, ..., kn with the aid of a tree-like construction such as that of Goldreich, Goldwasser, and Micali (GGM): O. Goldreich, S. Goldwasser, and S. Micali, How to Construct Random Functions, Journal of the ACM, vol. 33, no. 4, 1986, pages 792-807. Then, to sign message m, the triplets (0, m1, k1), ..., (0, mn, kn) are hashed as the leaves of a Merkle-like tree and the root r is signed to produce the signature s. The difference between this tree and a regular Merkle tree is that leaves are prefixed with the value 0 and the value 1 is prepended before each internal hash is computed. With knowledge of k, anyone can verify s. However, in order to censor the data stream, the value of k is never published. Instead, only certain intermediate values of the GGM tree are published. These values correspond to the information needed to derive the final keys ki for exactly those data elements which are not censored; the leaf hashes of censored elements are supplied as co-nodes, and without ki they reveal nothing about the censored content. With the uncensored blocks, the intermediate GGM values, and the co-nodes in the Merkle-like tree, the signature can be verified. However, the above Homomorphic Signature Scheme takes precautions, via the GGM tree, to protect the confidentiality of censored data, and it requires all uncensored message blocks, all co-nodes, and all keying information in order to permit verification, and thus is not efficient.
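The following is an added worked example of the key-release mechanism just described; it is not code from the patent or from the cited paper. It derives the per-block keys k1, ..., kn from a master key k with a GGM-style binary tree, computes the minimal set of intermediate tree values that must be published so that the keys of the uncensored blocks (and only those) can be derived, and shows that a receiver holding the published values recovers the key for every kept block but nothing for a censored one. As assumptions, HMAC-SHA256 is used as the pseudorandom function of the GGM construction, and the master key, block contents and the censored indices are constructed sample data; the Merkle-like tree over the leaves is not repeated here.

```python
"""GGM-style key tree with selective key release, after Johnson, Molnar, Song
and Wagner. Added example, not code from the patent or the paper. HMAC-SHA256
stands in for the GGM pseudorandom function (an assumption); the master key,
message blocks and censored set are constructed sample data.
"""
import hashlib
import hmac


def prf(key: bytes, bit: int) -> bytes:
    """GGM step: the left (0) or right (1) child key of a node key."""
    return hmac.new(key, bytes([bit]), hashlib.sha256).digest()


def index_bits(i: int, depth: int):
    """Root-to-leaf path of leaf i in a tree of the given depth, MSB first."""
    return [(i >> (depth - 1 - j)) & 1 for j in range(depth)]


def node_key(k: bytes, path_bits) -> bytes:
    """Key of the node reached from the root by following path_bits."""
    for b in path_bits:
        k = prf(k, b)
    return k


def leaf_keys(k: bytes, depth: int):
    """k_1 ... k_n as the signer computes them (n = 2**depth)."""
    return [node_key(k, index_bits(i, depth)) for i in range(1 << depth)]


def leaf_commit(block: bytes, key: bytes) -> bytes:
    """Leaf of the Merkle-like tree: hash of (0, m_i, k_i). Without k_i the
    value hides m_i, which is what protects censored content."""
    return hashlib.sha256(b"\x00" + key + block).digest()


def cover(keep, depth: int):
    """Minimal set of subtree roots (as bit paths) whose leaves are exactly
    the indices in `keep`. These are the GGM values the censor publishes."""
    keep = set(keep)

    def rec(path, lo, hi):
        if all(i in keep for i in range(lo, hi)):
            return [path]
        if not any(i in keep for i in range(lo, hi)):
            return []
        mid = (lo + hi) // 2
        return rec(path + [0], lo, mid) + rec(path + [1], mid, hi)

    return rec([], 0, 1 << depth)


def publish(k: bytes, keep, depth: int):
    """Censor side: intermediate keys covering exactly the kept blocks."""
    return {tuple(p): node_key(k, p) for p in cover(keep, depth)}


def derive(published, i: int, depth: int):
    """Receiver side: derive k_i from a published ancestor, or None if block i
    is censored (no published node lies on its path)."""
    bits = index_bits(i, depth)
    for path, key in published.items():
        if list(path) == bits[:len(path)]:
            return node_key(key, bits[len(path):])
    return None


def demo():
    depth = 3                                   # n = 8 blocks
    k = b"constructed master key"
    blocks = [f"block-{i}".encode() for i in range(1 << depth)]
    censored = {1, 6}
    keep = [i for i in range(1 << depth) if i not in censored]
    published = publish(k, keep, depth)
    keys = leaf_keys(k, depth)
    kept_ok = all(derive(published, i, depth) == keys[i] for i in keep)
    censored_hidden = all(derive(published, i, depth) is None for i in censored)
    # What the receiver gets for a censored block: only its leaf hash (a co-node).
    censored_leaf = leaf_commit(blocks[1], keys[1])
    return len(published), kept_ok, censored_hidden, len(censored_leaf)


if __name__ == "__main__":
    print(demo())
```

For eight blocks with blocks 1 and 6 censored, the censor publishes four intermediate values (the subtrees covering {0}, {2,3}, {4,5} and {7}) instead of the eight leaf keys, and the receiver still cannot reach k_1 or k_6. Note how much the receiver must be given in total: every uncensored block, every co-node, and these keying values, which is the inefficiency the text points to.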
Accordingly, there has been a need for a secure authentication scheme that permits controlled removal of certain blocks in a stream without weakening the receiver's ability to verify the authentication information, and without requiring confidentiality of censored data.